Two-Factor Authentication

​What Is It and Why You Should Use It

As the always-online world has continued to become an ever more dangerous place, the need for user authentication methods other than the old, not-so-reliable username/password combo has become evident.

Logins via the long-accepted username and password method have grown increasingly insecure. Unfortunately, many users make use of the same username and password or rotate through a small number of login combinations. This makes it easier for hackers who might have gained access to user data in the data breaches we seem to hear about almost daily.

Once a bad guy has your login to one website or online service, they consider it a good possibility that you may have used that same login information on other sites and services. Hackers can then try to use the login information to gain access to a user’s account on multiple websites, including banking, credit card and shopping sites.

Due to this problem, many websites, social networks, computer and mobile device makers have begun requiring users to use two-factor authentication to log in to their services, networks and devices.

In this article, I’ll explain what two-factor authentication is, how it works, how it increases the level of security for logins, what the drawbacks are and why you should use it if it’s available.

I’ll also discuss some of the companies and popular online services that use two-factor authentication to protect their customers’ logins and associated personal information.

What is Two-Factor Authentication?

Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), is a method of authorizing a login using two pieces of authentication. The two pieces are usually defined as something the user has, and something the user knows.

Perhaps the best way to explain two-factor authentication is to use a situation most of my readers will be familiar with: withdrawing money from an Automatic Teller Machine (ATM).

Two things are required for an ATM withdrawal to be approved by your bank: your valid credit or debit card (what you have), and your 4-digit Personal Identification Number (PIN) (what you know).

Two-Factor Authentication can be made up of various factors, and it varies widely among organizations. Each of these methods have their own advantages and disadvantages.

1

Mobile Device Two-Factor Authentication

In order to use 2FA with your mobile device when you attempt to log in, the website or service in question will send a 4-digit or greater code to your smartphone or tablet via a text message. In some cases, you might be required to log into a passcode-generation app on your device to complete the login process.

This method uses two factors: the user’s access to their personal device, and the one-time temporary code that is furnished to them via a text message, notification or the passcode-generating app installed on the device.

This method carries with it a large number of both advantages and disadvantages.

Advantages:

check

No need to carry a token generator, as the process uses the user’s mobile device.

check

The passcodes are generated on the fly, making them more secure than static passwords.

check

A maximum number of passcode entries can be set, limiting the risk of passcode guessing.

check

The process is user-friendly.

Disadvantages:

The mobile device could be stolen, lost or damaged.

If the user is out of range of their carrier’s cellular network, the passcode message might not be received.

SIM cloning could give hackers access to the user’s mobile connection, allowing them to spoof their device.

2

​Token Generator Two-Factor Authentication

Other companies supply a key fob-like or credit card-like token generator the user can keep in their pocket, briefcase or purse.

The device flashes a new token number every 60 seconds, providing a one-time password as needed. This eliminates the need for a mobile device to receive a passcode. However, it does introduce its own unique issues.

While two-factor authentication certainly adds a much-needed layer of security to the login process, 2FA is not immune from hackers. In 2011, security company RSA revealed that its SecurID system, which makes use of authentication tokens, had been hacked.

Advantages:

check

​It doesn’t rely on the use of a mobile or other internet-connected device.

check

​It’s portable and can be kept in the user’s pocket, purse or briefcase.

check

It’s easy to use.

check

​The token refreshes after a set amount of time - no permanent passcode to steal.

Disadvantages:

​It’s easily lost or stolen from the user’s pocket, purse or briefcase.

Services That Use Two-Factor Authentication

In this section, we will be looking at some of the online services and other companies that use two-factor authentication to verify the identities of their users when they log in.

We’ll be taking a look at how Facebook, Twitter, Google, Apple and Microsoft make use of TFA. They each use the process a little differently from each other. For each company, we will look at how you can set up 2FA for use with the services, and how it works for logins.

1

Facebook

When you set up two-factor authentication for your Facebook account, you’ll be asked to enter a special security code or confirm your attempt to log in each time you (or someone else) tries to access your Facebook account on a computer or mobile device that Facebook doesn’t recognize.

To turn on two-factor authentication, do the following:

Go to the Security and Login Settings page by clicking the little down arrow in the upper-right hand corner of your Facebook page. Then click “Settings” -> “Security and Login.”

Scroll down the page until you see “Use two-factor authentication” and click “Edit.”

Select the authentication method you prefer to use and then follow the on-screen prompts.

Click “Enable” to turn on your selected method of authentication.

Available authentication methods include:

Text messages sent to your smartphone

Security codes created via Code Generator

Tapping your security key on a compatible device

hashtag

Security codes created by a third-party app

hashtag

Approving a login attempt from an unrecognized device

hashtag

Using a printed recovery code

Facebook says users can use as many authentication methods as they’d like, but at least text message codes need to be enabled, or you need to have both a security key and Code Generator enabled.

2

​Twitter

When you enable “login verification” for your Twitter account, you’ll be required to enter both a password and a code which will be sent to your smartphone when you attempt to log in to Twitter. By default, the 6-digit code will be sent via SMS text message. You can also use a third-party app for verification.

To turn on login verification for Twitter, do the following on Twitter.com:

In the top menu, click on your Twitter profile icon and then click “Settings and privacy.”

Click on your Account settings and then click “Set up login verification.”

Read the instructions there, if you wish, and then click “Start.”

Enter your password and then click “Verify.”

Click the “Send Code” button to add your mobile phone number. (If you already have a phone number connected to your account, Twitter will send a text to that number to confirm it.)

Once the code is sent to your phone, enter the code and click “Submit.”

Last, but certainly not least, click “Get Backup Code” to view a code you can use to access your account if you lose your smartphone or change your phone number. (Twitter recommends you take a screenshot for future reference.)

To use a third-party app for Twitter login verification, do the following on Twitter.com:

In the top menu, click on your Twitter profile icon and then click “Settings and privacy.”

Click on the “Account” tab.

Look under “Security,” next to Login verification, and click on the “Review your login verification methods” button.

Enter your password and click the “Confirm” button.

Click “Set up,” which is next to “Mobile security app.”

Read the instructions there, if that’s your thing, and then click “Start.”

You may be asked to enter your password. If so, enter it and click “Verify.”

A pop-up window will appear with a QR Code in it. Follow the instructions you’ll see there.

You will be required to scan the QR code to set up the third-party authentication app. You will then be provided with a 6-digit numeric code.

Enter the code in the “Security code” text field in the pop-up window.

Click “Done.”

Temporary Passwords

Once you enable login verification for your account on the web, you’ll be required to use a temporary password when you attempt to log in to Twitter on other devices, or in applications that require your Twitter password.

When Twitter detects that you need one, a temporary password will be sent via SMS text message. You can also generate your own temporary password.

3

​Google

When you enable 2-Step Verification for your Google account, you’ll log in using your usual password, but will also be required to enter a security code that will be sent to your smartphone.

To turn on login verification for Google, do the following on Google.com:

The next page offers a short explanation of how 2-Step Verification works. Read this if you wish. Click the “GET STARTED” button.

Log in.

Google will then ask you what phone number you’d like verification codes sent to. Verify the phone number if one is already filled in and edit it as needed. Select whether to receive the codes via text message or a voice call, then click “Send code.”

When you receive the 6-digit code, enter it and click the “Verify” button.

You will then be asked if you are using a “trusted computer.” If you’re on your home computer or on a work machine that only you use, check the box next to “Trust this computer” and click “Next.”

​Apple

With Apple’s “Two-Factor Authentication” enabled for your Apple ID, your account can only be accessed on trusted devices. These can include your iPhone, iPad or Mac. When you sign in to a new device for the first time, you’ll need to provide your password and a 6-digit verification code that will be displayed on your already-trusted devices.

To enable Two-Factor Authentication for your Apple ID, do the following:

If you're using iOS 10.3 or later:

Go to “Settings” -> “[your name]” -> “Password & Security.”

Tap “Turn on Two-Factor Authentication.”

Tap “Continue.”

If you're using iOS 10.2 or earlier:

Go to “Settings” -> “iCloud.”

Tap your Apple ID -> “Password & Security.”

Tap “Turn on Two-Factor Authentication.”

Tap “Continue.”

On your Mac computer, with Mac OS X El Capitan or later, do the following:

Click on the Apple logo in the upper-left-hand corner of your Mac’s Desktop.

In the pull-down menu that appears, click “System Preferences.”

In the System Preferences, click the “iCloud” icon.

On the iCloud screen, click “Account Details.”

Click “Security.”

Click “Turn On Two-Factor Authentication.”

5

​Microsoft

If you enable the Two-Step Verification process on your Microsoft account, you’ll be required to enter your password and a security code that you’ll receive via an email address, a phone number or an authenticator app.

To enable Two-Step Verification for your Microsoft account, do the following:

Continue with the setup process until you reach the finish line, then click “Done.” You may be asked to provide a verification code, which you will receive either via SMS or an alternate email address. Once the signup is complete, you’ll receive an email confirmation from Microsoft, which will be sent to your alternate email address.

What Else Do I Need to Know About Two-Factor Authentication?

1

Always Use Two-Factor Authentication on Your Email Accounts

So, which of your email accounts is the “most important account” that you should enable two-factor authentication on?

Answer: it’s any and all of them. Whether you use your email account for business or pleasure, it doesn’t matter. Hackers can cause you all kinds of grief if they can take control of your email account.

Think about it: how many websites or services have you signed up for over the years that ask you for your email address? Now, how many of those websites use your email account as your username? The mind boggles.

Even websites that don’t use your email for login purposes still use it as a contact method to reset your password if you forget it.

BAM! With your email under their control, hackers can start resetting the passwords that protect your important accounts. Accounts like the ones you have on your bank’s website, your credit card issuers, your favorite online merchants…

UGH! And believe you me, it isn’t any fun to try and get a mess like that sorted out if it happens!

2

​Protect Your Financial Accounts

Check with your bank or credit card issuer to find out if they offer two-factor authentication for when you’re logging into your account.

While not all banks or credit card companies currently offer 2FA, many do. Chase, Bank of America, Barclays US, Ally Bank and Capital One come to mind as financial institutions that offer 2FA to their customers.

There, you can check their list to see whether or not your firm protects you with 2FA, and if they do, what types of authentication they offer. The website offers lists covering backup providers, banks, cloud computing providers, communication firms and cryptocurrency websites.

3

One Password to Rule Them All

Perhaps the most important password you’ll ever use is the one that unlocks the encrypted vault that holds all of the passwords you’ve saved in your password manager app. Make sure your password app supports two-factor authentication

​Never Mark Your Device or Computer as “Trusted”

Many of the websites that you’ll log into via two-factor authentication allow you to mark your computer or mobile device as “trusted.” This disables two-factor authentication on the device, allowing you log in using only your password.

Do not do this! Marking a computer or device as “trusted” defeats the purpose of two-factor authentication, which is to protect you and your personal and financial information.

While going the trusted way might make future logins a bit easier, it also makes it easier for the bad guys to access your login-protected info if they’re ever able to get their hands on your device.

Of course, you don’t have to worry about that, right? No one ever loses their laptop or mobile device, or ever has one of them stolen, right? Right? (Now ends the “sarcasm” portion of our program.)

5

​What Happens if I Lock Myself Out?

If you use your smartphone for the second factor in your two-factor authentication logins, it’s logical that you might worry about losing your mobile device and getting locked out of your accounts. Luckily, most modern 2FA systems allow you to add a second phone number or even a second email address for just this reason.

Even if you lose your smartphone or other mobile device you use for authentication, you can usually get a security code via a voice call to your landline or second phone, or to an alternate email address.

An alternative method of protection against getting locked out that some companies provide is a special code that can be printed out and kept in a safe place. While this sounds old-fashioned, a piece of paper could save you a lot of hassle some day. (Don’t just copy the code and save it to your device. Think about it for a moment, and you’ll understand why you shouldn’t.)

6

How Do I Find Out if a Website Supports Two-Factor Authentication?

While we’ve covered the fact that many financial, social and cloud storage websites and services offer 2FA, there are also many websites connected to other industries that also offer the protection to their users.

Turn It On bills itself as “The Ultimate Guide to Two-Factor Authentication,” and whether that’s accurate or not, they do provide a large amount of information about 2FA-protected websites. All you have to do is enter the name or address of the website in question, and the Turn It On site will let you know whether 2FA is indeed supported.

The site can also provide step-by-step instructions on how to set up two-factor authentication on supported sites. In addition to offering a search function, they also offer a browsable list of tutorials, categorized by industry. Bookmark Turn it On - it will very likely come in handy sometime.

Action Steps

Two-Factor Authentication is a great way to help ensure that your online accounts remain secure, keeping your personal and business information away from the bad guys. With just a few steps, any user can make it tougher for hackers to steal their accounts.

1

Turn on Two-Factor Authentication When Possible

If any website, service, email provider or anything else you access online offers Two-Factor Authentication (2FA), enable it. Two-Factor Authentication ensures that even if another party learns your login information, they will not have enough information to access your accounts.

By requiring a second action on the user’s part to log in (a login code sent via email, text message or a code from a token generator), 2FA makes it much more difficult for unauthorized parties to access your accounts.

Facebook, Twitter, Apple, Google, Microsoft and many other social networks and online service providers now offer some form of two-factor authentication. In addition, many banking, credit card and shopping sites also offer the protection to their customers.

In most cases, it only takes a few moments to set up 2FA, and the benefits will easily outweigh the value of the time it takes you to get this protection in place.

3

Use a Password Manager That Supports Two-Factor Authentication

If you’re not using a password manager to protect and keep track of your online logins, get one now!

Many password managers are compatible with 2FA, making them a great way to easily log in to your favorite websites and other services while also protecting that valuable login and its associated personal and business information.

4

Never Click the “Mark This Device as Trusted” Box on a Website

While going the “trusted browser” route might make future logins easier for you, it also makes them easier for anyone who might find or steal your laptop or mobile device. This basically defeats the purpose of 2FA, which is to protect your logins and your information.

5

Lock Yourself Out of a Website? You Can Fix That!

It’s understandable that you might worry about getting locked out of a website if you use two-factor authentication. What happens if you lose your mobile device and can’t receive the 2FA code?

Most 2FA systems allow users to add a second phone number or a supplemental email address for just this type of situation. Even if the second phone number is a landline that’s not text message-compatible, many two-factor authentication systems can supply an authentication code via a voice message.

Many services can also provide a special code that can be printed out and saved in a safe place. Sure, it’s old school, but you’ll appreciate it if you need it. As I’ve mentioned before, don’t just copy and paste the code to your device’s notes app. If you lose the device, then you’ve lost the code.

6

​Check to See if Your Favorite Website or Service Supports 2FA

While not all websites and other online services provide a two-factor authentication option to their users, more of them are adding the option all of the time. If you’re curious whether or not your favorite website offers 2FA, you can visit Turn It On.

Turn It On allows you to search for information on whether or not a particular website or other online service offers the extra layer of security. In addition, the website provides step-by-step instructions for enabling 2FA on websites that offer it.

7

​Double Up on Your Protection

Two-Factor Authentication provides the additional layer of protection for your online accounts that makes a difference when keeping your valuable personal and business information safe from prying eyes.

By taking just a few moments on each website, you can easily add another wall between your information and the bad actors that would love to get their hands on it.